Article delegate-en/3625 of [1-5169] on the server localhost:119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A3623@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Trying to get selectable-SOCKS working (application level routing)
30 Jan 2007 07:37:59 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

On 01/29/07(09:03) you Timothy Brown <pdyhabdyi-bfsye3zdgr5r.ml@ml.delegate.org> wrote
in <_A3623@delegate-en.ML_>
 |> 1) DNS query for www.cnn.com is also forwarded to the upstream  
 |> SOCKS server
 |>    at localhost:9250.  This seems a bug in the implementation of  
 |> DeleGate.
 |
 |I would think this is actually the correct behavior, as what we want  
 |is for the remote side to reply with the DNS response:  It may have a  
 |different view of DNS than the host machine (e.g. in situations where  
 |you are connecting to a network via SSH where DNS internally is  
 |different than DNS externally.

Sorry, I wrote it ambiguously.
The DNS query about "www.cnn.com" which caused the problem you saw is NOT
the one which is generated by SOCKS clients (to be wrapped in UDP ASSOC
packet (CMD[3]) over SOCKS and must be relayed to the DNS server specified
in the packet, via an upstream SOCKS server).

 |delegated -v -P28222 SERVER=socks SOCKS="localhost:9250:*.cnn.com"
...
 |01/28 08:58:10.92 [16106] 1+1: [SocksV5-serv] VER[5] NMETHODS[1] [0][0]
 |01/28 08:58:10.92 [16106] 1+1: [SocksV5-serv] VER[5] CMD[1] ATYP[3] www.cnn.com:80
(SOCKS command from the client)

 |01/28 08:58:10.92 [16106] 1+1: SocksV5_udpassoc: UDP ASSOC error(V5 0)
(SOCKS command to the server)
 |01/28 08:58:12.92 [16106] 1+1: {R} [www.cnn.com]*1 q=1,a=0, s=1,r=0 (2s)

This UDP ASSOC is just generated by DeleGate itself to resolve the host
name "www.cnn.com" which is sent in the SOCKSv5 packet for TCP connect
(CMD[1]) as the destination in domain name (ATYP[3]).

The DNS server for this resolution is selected by DeleGate itself from the
implicitly given environments.  If it should be forwarded to a DNS server
(resolver at IP-address dd.dd.dd.dd) via SOCKS server at IP-address
ss.ss.ss.ss, it should be specified as RES_NS="dd.dd.dd.dd//ss.ss.ss.ss".

Moreover in your case, you restricted the destination of the SOCKS forwarding
as SOCKS="localhost:9250:*.cnn.com", which seems not include the DNS server
you inteded to be used, thus it should not be forwarded to the SOCKS server.


 |> 2) by somewhat unknown reason, the upstream SOCKS server does not  
 |> support,
 |>    accept, or surve the DNS relay over SOCKS (I'm curious about the  
 |> reason)
 |
 |This is also somewhat interesting.   I know the browser is supposed  
 |to forward the DNS query over SOCKS  (I've seen this happen but not  
 |with delegate - but since delegate shows the debug of a DNS request  
 |hitting it it seems there is no problem with the browser).   
 |RESOLV=sys does in fact work to resolve the problem but I am  
 |concerned that this may not get us where we want to go.   I have  
 |verified this problem exists in both OpenSSH 4.2p1 (shipped with Mac  
 |OS X) and 4.5p1 (downloaded separately).
 |
 |My intended behavior would be that delegate accepts the DNS request  
 |(this seems to work OK) and then forwards it to the SSH proxy based  
 |on the DNS lookup.

As long as the DNS query is sent in SOCKSv5 by UDP ASSOC from a client,
it is forwarded to the DNS server via DeleGate, possibly via upstream
SOCKSv5 server in UDP ASSOC again.
I have no experience with other SOCKS implementations, but at least
this forwarding works with chained SOCKS servers when both of them are
DeleGate :)

 |01/28 08:58:10.92 [16106] 1+1: SocksV5_udpassoc: UDP ASSOC error(V5 0)

In this log, the server might have returned some hint but DeleGate
did not record it.
I modified DeleGate to record it in DeleGate/9.4.3-pre6 which is
released today.  We'll be able to get useful information with it
about your problem.

 |I have verified via tcpdump that the remote host  
 |does not send the DNS request on, so either delegate is not  
 |forwarding the SOCKSified DNS request over the SSH connection or the  
 |SSH server or client is the source of the problem.
 |
 |But how can we be assured that delegate is actually doing the DNS  
 |lookup over the SOCKS connection?  It should.  In situations where  
 |you want to use Tor, for instance, having the DNS lookup performed by  
 |the system is very bad for cases of anonymity.


Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller


  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V